
Cyber Incident Victim: Poland

Date: Oct 2022

Location: Poland

Summary

A ransomware campaign employing the newly identified Prestige malware targeted organizations in Poland and Ukraine, attributed to a Russian-aligned threat actor with historical activity against Ukrainian entities. The attacks involved rapid encryption of data and systematic destruction of system components, disrupting operations in the transportation and logistics sectors while causing significant data loss.


Description

On October 11, 2022, a newly identified ransomware variant dubbed "Prestige" targeted organizations primarily in the transportation and logistics sectors across Ukraine and Poland. The attacks were launched in close succession, with initial infections observed in Ukraine before expanding to Polish entities within hours. The ransomware employed a multi-stage execution process, beginning with the deletion of Volume Shadow Copy Service (VSS) backups to hinder recovery efforts. Attackers utilized living-off-the-land binaries (LOLBins) and legitimate remote administration tools such as Impacket for lateral movement within compromised networks. Microsoft Threat Intelligence Center (MSTIC) observed the ransomware terminating database and virtual machine processes to facilitate encryption, with a particular focus on VMware ESXi servers commonly used in enterprise environments. The malware appended the ".encrypted" extension to affected files and dropped ransom notes titled "README.txt" containing payment instructions. Forensic analysis revealed that Prestige used a combination of AES and RSA encryption algorithms, with unique keys generated per victim.


The incident disrupted critical supply chain operations in both countries during a period of heightened regional instability. Affected organizations experienced operational paralysis due to encrypted systems, though specific company names were not publicly disclosed. Microsoft Defender for Endpoint and Microsoft Sentinel detected the activity through behavioral analytics that identified suspicious process termination patterns and anomalous remote command execution. Investigators noted that the attacks displayed a clear geographical focus but found no conclusive evidence linking them to known threat actors at the time of disclosure. The ransomware's infrastructure reused some command-and-control IPs previously associated with other ransomware campaigns, though with distinct operational tactics. Response efforts involved isolating infected systems, restoring from offline backups where available, and coordinated information sharing between national CERT teams. The incident highlighted heightened risks to critical infrastructure sectors amid ongoing regional conflicts, and the targeting of the transportation vertical suggested a strategic intent to amplify secondary economic impacts.
